Data Privacy and the DB: Covenant Amendments Passed

05/23/2018, 8:04 PM, Justicar - Chamber of Justice

For the past week and a half, the Dark Council has been discussing the potential impact of the EU's new General Data Protection Regulation (GDPR) on the DB. Some of you may be aware of the GDPR through work or the news, but even if you aren't familiar with it I'm sure you've seen its effects in the last few weeks as companies scramble to revise their privacy policies and data collection practices. Below, I will explain in more depth why it is necessary for us to make changes as well.

We have identified a number of steps that are required to bring the DB into compliance with the GDPR. Most of the changes will be fairly painless and simply involve shifting from an implied consent standard (e.g., signing up for the club = consent to be contacted) to an affirmative consent standard (e.g., you must now click a checkbox to affirmatively consent to be contacted by the DB when signing up). You will all see some of these changes roll out over the next few days as James works his magic.

There are two more complex issues that necessitated amending the Covenant. The first and most significant is the imposition of a new minimum membership age (16 years old) along with stricter enforcement of parental consent requirements. The second is the implementation of the EU's new "right to be forgotten," which requires us to amend our current policy limiting dossier removal.

But I don't want to bury the lede: I presented proposed amendments to the Electorate Monday morning. After the mandatory 48 discussion period ended today, I called for a vote. The amendments passed by a vote of 15 to 1.

As a result, all DB members must now be at least 16 years old or provide written parental consent for membership. This rule applies to everyone regardless of citizenship or residency, and no one is grandfathered-in. Mav and I will be reaching out to those whom we believe to be under 16 to explain the rule change and give them an opportunity to obtain parental consent before GDPR goes into effect on Friday.

What is GDPR and why does it matter? (warning: many words)

The GDPR is the EU's new data protection regulation, and it becomes enforceable on May 25th. In brief, and as relevant for our purposes, the GDPR imposes new, strict requirements for obtaining lawful consent to use an EU resident's personal data, including email addresses, usernames, and IP addresses. It also grants a "right to be forgotten," which gives EU residents a nearly-absolute right to have their personal data corrected or deleted.

The GDPR clearly applies to all commercial entities, but carves out an exception for data processing by "a natural person in the course of a purely personal or household activity." That exception might cover what we do here: we are engaged in purely social and artistic pursuits with no commercial, political, or charitable angle. Unfortunately, the EU's prior privacy Directive, which GDPR supersedes, included the same "purely personal or household activity" exception, and it was interpreted very strictly: even social network users with large numbers of third party contacts can fall outside the scope of the exception and be fully subject to the regulation, as absurd as that might seem. For example, under the GDPR, a Facebook user with thousands of "friends" would be required to obtain affirmative consent from those "friends" to be able to use any of their personal data including names and photos; that Facebook user would also be required to delete all of a "friend's" data from his account if requested, or be subject to fines.

The GDPR purports to apply worldwide, which means that even US-based organizations could be subject to EU enforcement actions for violating the regulation. Maximum penalties for violations of the GDPR can reach 20 million euros. It's fairly unrealistic to think the DB would ever incur such a penalty. Likewise, it isn't clear, as a practical matter, how the EU would directly enforce the GDPR in the US. Instead, the real threat is that our web hosting service or any other data processing service that our site uses might cut us off to protect their own EU-based assets.

If you conceive of risk as a function of the probability of a harm times the magnitude of that harm, then this is a high risk situation for the club not because it's likely to become a problem but because if it ever does become a problem it could be catastrophic. As such, I think it's important that we make a good faith effort to comply with the Regulation's basic requirements. Most of those changes are being handled behind the scenes and will involve asking all DB members to affirmatively consent to the DB storing their data and using their contact methods. Two changes, however, required amending the Covenant:

Parental Consent Necessary Up to 16

The GDPR requires affirmative consent to data processing/contacting. For children under the age of 16, that consent can only be provided by a parent. This is similar to current US law, which requires parental consent for those under 13, though it covers more of our membership. Thankfully, the GDPR doesn't require us to ask everyone who signs up if they're old enough; we only have to "make reasonable efforts," when we learn of an underage signup, "to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology."

The original Covenant did not set a minimum membership age. However, because the GDPR prohibits us from processing any EU resident data without affirmative consent -- and without knowing how strictly these provisions will be enforced -- we cannot simply turn a blind eye to underage joins. Therefore, I proposed a new minimum age of 16 years old, along with the authority for the GM + JST to lock down dossiers belonging to anyone determined to be under 16 who does not have parental consent to be a member. This change applies to all members, regardless of country of residence, for three primary reasons: first and foremost, I'm very uncomfortable with the idea of setting different rules for members based on residency or citizenship (or, frankly, even asking for that information); second, I think it is preferable to limit the amount of personal information that the DB collects about its members; and, third, it is simply very difficult to determine the residency of magic internet space wizards.

Right to Be Forgotten

The second Covenant change enacts the GDPR's new "Right to be Forgotten." Previously, we permitted a single dossier deletion for non-convicted members and absolutely prohibited deletions for convicted members. The amended Covenant now permits an unlimited number of dossier deletions by anyone (again, not based on residency), with the understanding that we will retain limited non-public information (username, email, IP addresses, etc.) for convicted members for the purpose of protecting the integrity of the DB's information systems and membership rolls. Limits on the creation of new dossiers will remain in effect.

The Amended Sections

Amended Section 2.01(b)
Right to Membership – Every person that follows the rules of this Covenant and has signed up for and agreed to the terms and conditions of joining the Brotherhood has the right to be a member of the Brotherhood, provided that they are at least 16 years of age or have sent written parental consent for membership to the Grand Master, Justicar, and Master at Arms. Violations of the Covenant may result in a loss of the right to membership.

New Section 2.01(b)(i)
Disposition of Underage Dossiers – When the Grand Master determines that a person under the age of 16 has created a dossier without providing written parental consent for membership, the Grand Master shall, with the agreement of the Justicar, immediately suspend the dossier from all positions within the Brotherhood, deactivate the dossier, remove access to the database, and remove the dossier's contact methods from all modes of Brotherhood communication or other media (such as gaming servers).

New Section 2.01(b)(ii)
Notification and Restoration of Underage Dossiers – The Grand Master shall immediately notify the person who created the suspended dossier of the suspension and inform the person that the dossier will be restored when (1) written parental consent for membership is provided to the Grand Master, Justicar, and Master at Arms; or (2) the person is at least 16 years of age.

Amended Section 2.02(b)
Removal of Dossier – A member has the right to have his dossier permanently removed from the Brotherhood website subject to limitations outlined in this Section. However, a person that requests removal of his dossier does so with the understanding that it is permanent and the dossier will never be permitted to be restored. Upon removal of the member’s dossier, the person no longer has any rights of members under the Covenant. For the purpose of clarity, the term “removed” is used instead of “deleted” in this section because the data from dossiers may remain in encrypted backup data of the website and there is no way to delete all dossier references. Therefore, the active website will have no record of the dossier, as the dossier will have been removed from the active website. In the unlikely event that a previously-removed dossier is restored to the active website via a backup, that dossier will be removed as soon as possible.

Amended Section 2.02(e)
Limitations on Creation of New Dossiers – There is no limit on the number of times a member may have a dossier removed. However, use of the right to have a dossier removed to illicitly restart a dossier when prohibited by the Covenant or without permission from the Master at Arms is a form of cloning and subject to penalties through the Chamber of Justice.

Amended Section 2.02(f)
Limitations on Removal of Dossiers for Members Convicted by the Chamber of Justice – Notwithstanding the right of all members to have a dossier removed, information related to members convicted by the Chamber of Justice including character names, contact methods, IP addresses, and records of any investigations and trials, will be maintained in a non-public form for the purposes of protecting the integrity of the Brotherhood’s data systems and preventing the fraudulent creation of new dossiers. If a previously-convicted member creates a new dossier, the new dossier will be removed and the member will be charged with cloning. No honors or medals on the new dossier will be transferred to the old dossier.

These changes are now in effect. The wiki will be updated soon to reflect the changes, but until then please refer to this news post if you're looking for the new rules.

I want to be perfectly clear that none of these changes were prompted by the actions of any particular member, and that locking-down underage dossiers is not a punishment and does not reflect any wrongdoing on the part of the person who created it. If a person under 16 has a dossier locked down and later turns 16 or provides parental consent, the dossier will be fully restored including awards, rank, etc.